Dirty COW

This update patches the IPFire Linux kernel against a recently disclosed vulnerability called Dirty COW (CVE-2016-5195), a race condition in the kernel's copy-on-write handling of private memory mappings. It is a local privilege escalation bug: an unprivileged local user, or any process an attacker already controls on the system, could use it to gain root privileges.

Misc.

A further patch fixes AES-NI acceleration on Intel processors for 192 and 256 bit keys, which the hardware supports but which was not correctly implemented in the Linux kernel.

A fix to show the new unbound DNS proxy in the log section of the web user interface.

Please help us to support the work on IPFire Project with your donation.

IPFire 2.19 - Core Update 106 released
http://www.ipfire.org/news/ipfire-2-19-core-update-106-released
michael.tremer@ipfire.org (Michael Tremer), Tue, 01 Nov 2016 20:30:00 +0200
This is the official release announcement for IPFire 2.19 – Core Update 106 which comes with a number of exciting new features, many bug fixes and a few security improvements.

Change of the DNS Proxy

Previously, IPFire used dnsmasq as its DNS proxy; it has now been replaced by unbound. Unlike dnsmasq, unbound is specifically designed as a DNS forwarding proxy and recursive resolver and has implemented DNSSEC validation from early on.

Because of our decision to enable DNSSEC by default and various problems in dnsmasq, we have been toying with the idea of replacing it for a very long time. Unfortunately development resources are tight, and since the DNS proxy is a substantial part of the system and hooked into many other components, this was a very time-consuming project.

Finally, this new solution should now bring various advantages:

Performance

unbound is multi-threaded and IPFire will start one thread per available CPU core. This allows multiple queries to be processed in parallel, which should increase responsiveness and throughput.

The cache size is adjusted based on the memory available on the system. Bigger systems will get a significantly larger DNS cache, which speeds up browsing especially in large environments such as universities with many clients.
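As an added illustration of this sizing logic (example code written for this page, not IPFire's own init script): the unbound.conf option names are real, but the share of RAM given to the caches, the caps and the slab rounding are assumptions chosen for the example.

```python
"""Derive unbound thread and cache settings from the host's CPU count and RAM.

Added example, not IPFire's init script. The option names (num-threads,
msg-cache-size, rrset-cache-size, msg-cache-slabs, rrset-cache-slabs) are real
unbound.conf settings; the sizing policy (share of RAM, caps) is an assumption.
"""
import os


def next_power_of_two(n):
    """unbound wants slab counts to be a power of two close to num-threads."""
    p = 1
    while p < n:
        p <<= 1
    return p


def unbound_sizing(cpu_cores, mem_mib):
    """Return the settings as integers (cache sizes in MiB)."""
    threads = max(1, cpu_cores)
    # Assumed policy: give the rrset cache about 10% of RAM, but never less
    # than unbound's 4 MiB default and never more than 256 MiB.
    rrset_mib = min(256, max(4, mem_mib // 10))
    # unbound's documentation recommends the rrset cache be about twice the
    # message cache, so the message cache gets half (at least 2 MiB).
    msg_mib = max(2, rrset_mib // 2)
    slabs = next_power_of_two(threads)
    return {
        "num-threads": threads,
        "msg-cache-size": msg_mib,
        "rrset-cache-size": rrset_mib,
        "msg-cache-slabs": slabs,
        "rrset-cache-slabs": slabs,
    }


def render_server_section(settings):
    """Render the settings as an unbound.conf 'server:' fragment."""
    lines = ["server:"]
    for key, value in settings.items():
        suffix = "m" if key.endswith("-size") else ""   # unbound size unit: m = MiB
        lines.append("\t%s: %s%s" % (key, value, suffix))
    return "\n".join(lines) + "\n"


def detect_host():
    """Read core count and physical memory (MiB) from the running Linux host."""
    cores = os.cpu_count() or 1
    mem_mib = os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES") // (1024 * 1024)
    return cores, mem_mib


if __name__ == "__main__":
    cores, mem = detect_host()
    print("# %d cores, %d MiB RAM" % (cores, mem))
    print(render_server_section(unbound_sizing(cores, mem)))
```

The slab count matters more than it looks: unbound locks each slab separately, so a slab count below the thread count serialises cache access and wastes the extra threads.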

Better DNSSEC reliability

DNSSEC is enabled by default (as it was before). However, unbound validates DNSSEC signatures itself and does not depend on the upstream servers being validating resolvers, too, which will bring DNSSEC to many more users. Upstream DNS servers are now tested before they are put into use and any malfunctioning server is skipped. The status of this can be seen in the web user interface.
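Such an upstream test can be reproduced with a small probe. The following is an added example, not IPFire's own test code: it sends a query with the EDNS0 DO bit set, parses the raw reply and classifies the server by whether it validates itself (AD bit), merely forwards signatures (RRSIG records, which is all a local validator like unbound needs) or strips DNSSEC data. The sample replies inside it are constructed, not captures, and only probe_resolver touches the network.

```python
"""Classify an upstream DNS server by how it answers a DNSSEC-enabled query.

Added example, not IPFire's own test: sends a DO-flagged query, parses the raw
reply and reports whether the server validates (AD bit), merely forwards RRSIGs
(enough for a local validator such as unbound) or strips DNSSEC. Sample replies
below are constructed, not captures; only probe_resolver touches the network.
"""
import os
import socket
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_QR, FLAG_TC, FLAG_AD = 0x8000, 0x0200, 0x0020
EDNS_DO = 0x8000   # DO bit sits in the low 16 bits of the OPT record's TTL field

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(wire, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = wire[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            end = end if jumped else off + 2
            off, jumped = struct.unpack("!H", wire[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(wire[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)

def build_query(name, txid, qtype=TYPE_A):
    """Header with RD set, one question, and one OPT RR (4096 bytes, DO) in AR."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1) + encode_name(name)
            + struct.pack("!HH", qtype, 1) + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0))

def parse_response(wire):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    off = 12
    for _ in range(qd):
        off = decode_name(wire, off)[1] + 4             # skip QTYPE + QCLASS
    def read_rrs(count, off):
        rrs = []
        for _ in range(count):
            name, off = decode_name(wire, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
            rrs.append((name, rtype, rclass, ttl, wire[off + 10:off + 10 + rdlen]))
            off += 10 + rdlen
        return rrs, off
    answers, off = read_rrs(an, off)
    _, off = read_rrs(ns, off)                          # authority section, unused here
    additional, off = read_rrs(ar, off)
    return {"id": txid, "flags": flags, "answers": answers, "additional": additional}

def assess_upstream(wire, expected_txid):
    msg = parse_response(wire)
    if msg["id"] != expected_txid or not msg["flags"] & FLAG_QR:
        return "bogus"            # not a reply to our query: drop it
    if msg["flags"] & FLAG_TC:
        return "truncated"        # retry over TCP before judging the server
    if msg["flags"] & 0xF:
        return "rcode-%d" % (msg["flags"] & 0xF)
    do_echoed = any(rr[1] == TYPE_OPT and rr[3] & EDNS_DO for rr in msg["additional"])
    has_rrsig = any(rr[1] == TYPE_RRSIG for rr in msg["answers"])
    if has_rrsig and msg["flags"] & FLAG_AD:
        return "validating"
    if has_rrsig:
        return "dnssec-capable"   # signatures pass through; local validation can work
    return "strips-dnssec" if do_echoed else "no-edns"

def build_sample_response(txid, rrsig, ad, echo_do=True, rcode=0):
    """Constructed reply for www.example.com (documentation address 192.0.2.1)."""
    flags = FLAG_QR | 0x0180 | (FLAG_AD if ad else 0) | (rcode & 0xF)   # RD, RA
    body = encode_name("www.example.com") + struct.pack("!HH", TYPE_A, 1)
    rrs = [struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])]
    if rrsig:   # RRSIG rdata: covered type, alg, labels, orig TTL, expiry, inception, key tag
        rdata = (struct.pack("!HBBIIIH", TYPE_A, 13, 3, 300, 1608000000, 1606000000, 4242)
                 + encode_name("example.com") + b"\x00" * 64)   # signer name, dummy signature
        rrs.append(struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(rdata)) + rdata)
    for rr in rrs:
        body += b"\xc0\x0c" + rr                        # owner: pointer to QNAME at offset 12
    if echo_do:
        body += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return struct.pack("!HHHHHH", txid, flags, 1, len(rrs), 0, int(echo_do)) + body

def probe_resolver(server, name="www.example.com", timeout=2.0):
    """Live check over UDP/53; the random ID lets us reject spoofed replies."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        try:
            return assess_upstream(s.recvfrom(4096)[0], txid)
        except socket.timeout:
            return "timeout"
```

A real check should query a name known to be signed (and, separately, a deliberately broken one that a validating server must answer with SERVFAIL), since a server can only be trusted as "validating" if it both sets AD for good data and refuses bad data. "dnssec-capable" is the minimum a forwarder must offer for unbound to validate locally; "strips-dnssec" and "no-edns" servers are the malfunctioning ones the text says are skipped.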

Enhanced Features

DHCP leases will be published into the local DNS zone as before. Static leases are imported as well, which is a new feature. Every IP address will resolve to its hostname because PTR records are published for them.

Misc

Passwords are now stored with a stronger hash (SHA-512 crypt) instead of MD5 crypt as before. An existing hash cannot be converted without the password itself, so please change the root password using the setup tool to store it with the improved hash.

Firewall: An incorrect validation of destination IP addresses for rules that use Destination NAT caused some valid addresses to be rejected. This is fixed now.

PPP connections no longer require a password to be set (some providers require it to be empty).

The NTP client now correctly waits for WiFi connections to be established before the boot continues.

The samba add-on enables SMBv2 by default

IPFire now ships the firmware for MediaTek 7601 series devices

Various old software components that are no longer used have been removed from the system.

The iptables page on the web user interface has been improved to be more readable

Updated Packages

This update installs a large number of updated packages:

openssl 1.0.2j, which fixes a denial of service introduced in the 1.0.2i update (a missing CRL sanity check, CVE-2016-7052) along with some other implementation errors

Please help us to support the work on IPFire Project with your donation.

IPFire 2.19 - Core Update 105 released
http://www.ipfire.org/news/ipfire-2-19-core-update-105-released
michael.tremer@ipfire.org (Michael Tremer), Fri, 23 Sep 2016 16:30:00 +0200
This is the official release announcement for IPFire 2.19 – Core Update 105, which patches a number of security issues in two cryptographic libraries: openssl and libgcrypt. We recommend installing this update as soon as possible and rebooting the IPFire system to complete the update.

IPFire is now shipping openssl in version 1.0.2i which patches all of the above security vulnerabilities.

libgcrypt Security Flaws

Felix Dörre and Vladimir Klebanov from the Karlsruhe Institute of Technology found a bug in the mixing functions of Libgcrypt's random number generator: an attacker who obtains 4640 bits (580 bytes) of output from the RNG can trivially predict the next 160 bits (20 bytes). The bug has existed since 1998 in all GnuPG and Libgcrypt versions and is filed under CVE-2016-6313.

Please help us to support the work on IPFire Project with your donation.

IPFire 2.19 - Core Update 104 released
http://www.ipfire.org/news/ipfire-2-19-core-update-104-released
michael.tremer@ipfire.org (Michael Tremer), Tue, 20 Sep 2016 18:42:43 +0200
This is the official release announcement for IPFire 2.19 – Core Update 104.
This update brings you a new kernel under the hood and a Guardian rewritten from scratch.

Linux 3.14.79

The Linux kernel has been updated to version 3.14.79, which brings various bug fixes, stability improvements and support for more hardware.

Guardian

Guardian is an Intrusion Prevention System that hooks into Snort, the Intrusion Detection System. It reacts to reported events by blocking access for hosts from which malicious traffic was detected to originate. This enables IPFire to act as a dynamic firewall and automatically block abuse or other unwanted behaviour.

Since the old implementation was quite old and rather limited, Stefan Schantl started a complete rewrite that is faster, more efficient in its resource usage and of course more reliable.

If you want to use Guardian, you will have to install the guardian add-on package.

This Core Update updates Snort to version 2.9.8.2.

Misc

The IPFire web user interface is hardened against a potential environment variable injection attack known under the name HTTPoxy, in which a client-supplied Proxy request header ends up as the HTTP_PROXY variable in the environment of a CGI script. This was never possible to exploit in IPFire.
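The mechanism behind HTTPoxy in miniature, as an added example (not IPFire's code): CGI maps every request header to an HTTP_-prefixed environment variable, so a Proxy header sent by the client becomes HTTP_PROXY, which proxy-aware HTTP client libraries honour. The request headers below are constructed sample input, and the hardened variant simply refuses to pass that header through.

```python
"""HTTPoxy in miniature: a request header becomes HTTP_PROXY for a CGI script.

Added example, not IPFire's code. CGI (RFC 3875) exposes each request header
to the script as HTTP_<NAME> (uppercased, '-' replaced by '_'), so a client
sent 'Proxy:' header lands in HTTP_PROXY, which many HTTP client libraries
read as their outbound proxy setting. The request below is constructed.
"""


def cgi_environ(headers, strip_proxy=False):
    """Build the HTTP_* part of a CGI environment from the request headers."""
    env = {}
    for name, value in headers.items():
        if strip_proxy and name.lower() == "proxy":
            continue          # hardened: the header never reaches the environment
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def outbound_proxy(env):
    """What a proxy-aware HTTP client inside the script would pick up from its environment."""
    return env.get("HTTP_PROXY")


def is_poisoned(env):
    """Detection: in a CGI environment the HTTP_ namespace is request headers, so
    HTTP_PROXY being present means a client sent a Proxy header."""
    return "HTTP_PROXY" in env


# Constructed attacker request: the Proxy header points at a host the attacker controls.
ATTACK = {
    "Host": "ipfire.localdomain",
    "Proxy": "http://203.0.113.9:8080",
    "User-Agent": "curl/7.50",
}
```

The widely documented server-side fix is the same idea one layer up: have the web server drop the Proxy header before any CGI handling (for Apache with mod_headers, `RequestHeader unset Proxy early`), so no script behind it can be tricked into routing its outbound HTTP requests through an attacker's host.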

Add-ons

Updated

New packages

Independently from this Core Update, libvirt has been released as a new add-on. Read all about it in its IPFire Planet post.

freeradius, console configuration only

A note to all testers: Please reinstall the final update if your installation from the testing tree is more than a few days old. While this update was being tested, the image was changed and additional bugs were fixed.

Web Proxy Improvements

The web proxy squid has been updated to the 3.5 series and various improvements for stability and performance were made.

On machines with slow hard disks or on installations with very large caches, it was likely that the cache index got corrupted when the proxy was shut down. This resulted in an unstable web proxy after the next start.

The shutdown routine was improved so that a cache index corruption is now very unlikely. Additionally, we have installed means to detect whether the cache index was corrupted and, if so, to rebuild it automatically at the next start. This update will delete the presumably corrupted index on all installations and start a rebuild, which could result in slow operation of the proxy for a short time after installing the update.

Misc

Fix the setup command to correctly show more than 6 network controllers

Please help us to support the work on IPFire Project with your donation.

IPFire 2.19 - Core Update 102 released
http://www.ipfire.org/news/ipfire-2-19-core-update-102-released
michael.tremer@ipfire.org (Michael Tremer), Wed, 04 May 2016 19:50:00 +0200
This is the official release announcement for IPFire 2.19 – Core Update 102. This update contains various security fixes in the OpenSSL library. It is recommended to install this update as soon as possible.

Yann Cam, an independent security researcher, discovered two vulnerabilities in the IPFire web user interface that can be exploited under some circumstances. In ipinfo.cgi, a cross-site scripting attack could be executed against logged-in users, and in two more CGI files (proxy.cgi and chpasswd.cgi) a remote code execution vulnerability was found which allowed attackers to chain the aforementioned cross-site scripting attack to execute shell commands as an unprivileged user on the IPFire system.

These attacks can only be carried out through an administrator's browser and only while the administrator is logged in to the web user interface. Of course we recommend installing this update as soon as possible to close these vulnerabilities.

We would like to thank Yann for looking closely at the IPFire code and helping us to improve it, and we invite everyone who wants to do the same to report any bugs or security vulnerabilities they may find.

Security Fixes in other packages

The web proxy squid was patched against a vulnerability filed under CVE-2016-3947 that cannot be exploited in IPFire.

Connection Tracking Issues

On many systems, some protocols that require special care by the connection tracking implementation failed to traverse NAT. These include FTP, SIP and PPTP, and the problem was unfortunately not discovered during the testing phase of Core Update 100.

Those connection tracking helpers are now enabled by default on all migrated systems.

Misc.

installer: A bug on x86_64 systems caused EXT4 filesystem creation to fail if an XFS filesystem had previously been installed on the target partition.

Please help us to sustain the work on IPFire Project with your donation.

IPFire 2.19 - Core Update 100 released
http://www.ipfire.org/news/ipfire-2-19-core-update-100-released
michael.tremer@ipfire.org (Michael Tremer), Thu, 14 Apr 2016 07:00:00 +0200
It is a great moment for us and we are very proud to release the 100th Core Update today.

This update brings you IPFire 2.19, which we release for 64 bit Intel (x86_64) for the first time. This release was delayed by the various security vulnerabilities in openssl and glibc, but is packed with many improvements under the hood and various bug fixes.

64 bit

There is no automatic update path from a 32 bit installation to a 64 bit installation. Those who want to change have to reinstall the system manually, but a previously generated backup can be restored so that the entire procedure usually takes less than half an hour.

There are not too many advantages of the 64 bit version over 32 bit, except some minor performance increases for some use cases and of course the ability to address more memory. IPFire is able to address up to 64GB of RAM on 32 bit (using PAE), so there is not much need to migrate. We recommend using 64 bit images for new installations and keeping existing installations as they are.

Kernel Update

As with all major releases, this one comes with an updated Linux kernel to fix bugs and improve hardware compatibility. Linux 3.14.65, with many drivers backported from Linux 4.2, is also hardened more strongly against common attacks like stack buffer overflows.

Many firmware blobs for wireless cards and other components have been updated, as has the hardware database.

Hyper-V performance issues

A backport of a recent version of the Microsoft Hyper-V network driver module will allow transferring data at higher speeds again. Previous versions had only very poor throughput on some versions of Hyper-V.

Firewall Updates

It is now possible to enable or disable certain connection tracking modules. These Application Layer Gateway (ALG) modules help protocols like SIP or FTP to work through NAT. Some VoIP phones or PBXes have problems with them, so they can now be disabled; others need them.

The firewall has also been optimised to allow more throughput while using slightly less system resources.

Misc

Many programs and tools of the toolchain have been updated. A new version of the GNU Compiler Collection offers more efficient code, stronger hardening and support for C++11.

Please help us to sustain the work on IPFire Project with your donation.

IPFire 2.17 - Core Update 99 released
http://www.ipfire.org/news/ipfire-2-17-core-update-99-released
michael.tremer@ipfire.org (Michael Tremer), Sat, 05 Mar 2016 12:00:00 +0200
This is the official release announcement for IPFire 2.17 – Core Update 99. Another OpenSSL security fix has been released, so we created this Core Update which fixes that along with some other security vulnerabilities.

IPFire is most likely not vulnerable to the most famous of these vulnerabilities, known as DROWN (CVE-2016-0800). However, we recommend updating as soon as possible and rebooting the system afterwards.

CVE-2015-7547 in glibc/getaddrinfo

The getaddrinfo() function in glibc, the system's main C library, is used to resolve names into IP addresses using DNS. An attacker who controls or can spoof the DNS replies to such a lookup can send a forged reply that is too long and cause a stack buffer overflow in the process performing the lookup. Code can potentially be injected and executed.

IPFire itself is however not directly exploitable through this vulnerability, as it uses a DNS proxy that rejects DNS responses that are too long. So IPFire itself and all systems on the network that use IPFire as their DNS proxy are protected by the DNS proxy. Nevertheless, we decided to push out a patch for this vulnerability as quickly as we could.